DNS scavenging is a Microsoft feature that enables the cleanup and removal of outdated DNS resources. This automates the deletion of old records; otherwise, old records must be manually removed or the size of the DNS database can become too large and have an affect on performance. Here are the steps to enable DNS Scavenging.
Deploying DNS Scavenging
The following steps are required to enable DNS Scavenging:
- 1. Enable DNS Scavenging on the Grid
- 2. Set up the scavenging policy
- 3. Automatically scavenge stale DNS records
- 4. Manually scavenge stale DNS records
Enabling DNS Scavenging
This section describes how to enable DNS Scavenging on the Grid.
1. Go to Grid > Grid Manager > DNS > Services.
2. Select the Edit > Grid DNS Properties from the toolbar.
3. Click Toggle Advanced Mode to ensure that Advanced mode is on, and click the DNS Scavenging tab in the
Grid Properties Editor.
4. Select Enable record scavenging
Setting up Scavenging Rules
After enabling Infoblox DNS Scavenging, configure scavenging polices to identify which stale DNS records are going to be scavenged.
Resource Record Type
The resource record type policy allows users to define a record type for scavenging. A record is reclaimable if its type matches the type configured in the policy.
Supported types are: A, AAAA, PTR, CNAME, DNAME, MX, SRV, NAPTR, and TXT.
NOTE: NS, SOA, DNSSEC and HOST records are not supported for scavenging.
In the following example a scavenging policy is set for A records.
5. In the Grid DNS Properties editor, in the DNS Scavenging tab, set the Matching rule option so that Resource Record Type equals A Record.
The operator values are equals and does not equal. If the operator in this example is set to does not equal, then all supported resource records will to be scavenged except A records.
You can repeat the process for AAAA, PTR, CNAME, DNAME, MX, SRV, NAPTR, and TXT.
6. Click Save & Close.
Creation Time
The Creation Time scavenging policy is based on the record creation timestamp. If a record does not have creation time set, it will never be marked reclaimable based on this policy. In this example, the following creation time policy is set to scavenge records that are older than a day.
1. In the Grid DNS Properties editor, in the DNS Scavenging tab, set the Matching rule option so that the Creation Time is greater than 1 day.
Setting the creation time to greater than 52 weeks scavenges records that are more than a year old.
2. Click Save & Close.
Last Queried Time
This policy allows users to define a scavenging policy based on last queried timestamp, which requires last queried enabled on zones. In this example, records that are not queried for more than ten days will be scavenged.
1. In the Grid DNS Properties editor, in the DNS Scavenging tab, select Enable last queried time monitoring for resource records and Enable last queried time monitoring for zones options. Set the Matching rule option such that Last Queried Time is greater than 10 days.
2. Click Save & Close.
Last Discovered Time
The Last Discovered Time policy allows users to define a scavenging policy based on last seen timestamp. This policy is for A, AAAA, and PTR records.
1. To set this policy to scavenge records last seen more than a day ago, in the Grid DNS Properties editor, in the DNS Scavenging tab, set the Matching rule option so that Last Discovered Time is greater than 1 day.
2. Click Save & Close.
NOTE: To understand how the discovery process works in NIOS, refer to the chapter on “IP Discovery and vDiscovery” in the NIOS Admin Guide.
Record Source
The Record Source policy enables NIOS to scavenge records based on their source: Static or Dynamic. Static records cannot be scavenged automatically.
NOTE: Users can omit this rule if both Static and Dynamic records need to be scavenged.
1. To scavenge Static records only, in the Grid DNS Properties editor, in the DNS Scavenging tab, set the Matching rule option so that Records Source equals Static.
2. Click Save & Close.
Associated Records
The Associated Records policy specifies whether to check for associated records existence.
1. To scavenge A records (only if associated records exist), in the Grid DNS Properties editor, in the DNS Scavenging tab, set the Matching rule option so that Associated Record exists is chosen.
2. Click Save & Close.
NOTE: Record associations are not definable and are supported only for Address records (A/AAAA/PTR).
Extensible Attributes
The Extensible Attributes scavenging policy makes a record reclaimable if it has associated Extensible Attributes as defined in the policy.
1. To scavenge A records that have Extensible Attribute Site with a value of Santa Clara Office, in the Grid DNS Properties editor, in the DNS Scavenging tab, set two Matching rule options:
- Resource Record Type equals A Record
- Site equals Santa Clara Office
The extensible attributes matching is a logical AND with the policy above.
Creating a Scavenging Policy
The scavenging policy consists of combination of scavenging rules discussed in previous section. The scavenging rules support AND/OR operators. The rules can also be nested to create complex scavenging policies. The same rule type can be used more than once (for example: two rules for resource record type that match A and AAAA records). The Extensible Attribute (EA) rules do not support nesting and EA rules use AND logic with the other set of rules.
NOTE: In the screen captures below, the words AND and OR in red have been added to make choice clear; they do not appear in the actual UI.
With the all keyword, rules at the same level have an AND between them.
With the any keyword, rules at the same level have an OR between them.
Scavenging rules can be nested. Users can create levels in the scavenging policy and have the option of using AND/OR operators within levels and within the same level rules for more scavenging options.
Consider this nested equation: Rule 1 AND Rule 2 AND Rule 3 (Rule A (Rule a AND Rule b) OR Rule B (Rule c AND Rule d) AND EA Rule
Where Rule 1, Rule 2, Rule 3, and EA Rule are top-level rules with AND operations between them. Rule A and Rule B are sub-level rules with further sub-levels of rules. User have maximum flexibility in creating scavenging policies, as shown below.
Automatically Scavenging Stale Records
Users can make a DNS scavenging process recurring so that it automatically runs on a set schedule.
1. In the Grid DNS Properties editor, in the DNS Scavenging tab, check the option Enable scheduled record scavenging.
2. If you also need to delete the records after marking them stale during the scavenging cycle, then check the option After marking a record as reclaimable, automatically scavenge the record. Otherwise leave the option unchecked.
NOTE: Only Dynamic records are automatically deleted.
3. To specify the schedule, click the calendar icon next to the Schedule option.
4. In the Scavenging Scheduler screen, specify the frequency on the left (Once, Hourly, Daily, Weekly, and Monthly) and associated settings on the right.
In this example, NIOS will run the scavenging process Weekly on Sunday at 10 past midnight Pacific Time.
Another example specifies that the scavenging process will run Monthly every 2 months on the 29th day of that month at 10 past midnight Pacific Time.
In summary, NIOS provides broad scheduling options for an automated DNS scavenging process.
Manually Scavenging Stale Records
The DNS scavenging process can also be run manually on an as-needed basis. Manual scavenging can be performed on Grid, View, and Zone. “Grid scavenging” is performed on all views and all zones within those views. View Scavenging is for all zones in a particular view and Zone scavenging is for a particular zone.
1. Go to Data Management > DNS > Zones.
2. Under the toolbar on right-hand side, click on the Scavenge Records drop-down menu.
NOTE: If no zone is selected or the user is not in a zone, the Scavenge Zone Records option is greyed out.
In this example, scavenging will be run manually on a DNS zone called contoso.com.
1. Click on the gear icon next to the zone contoso.com in the Data Management > DNS > Zones tab and click Scavenge Records.
The Scavenge Zone Records screen provides options.
2. To scavenge stale records, select Scavenge Records, and then choose any of the following:
- To flag only stale records, select option Mark recrods as reclaimable
- To delete dynamic records that were previously flagged, select Reclaim records marked as reclaimable.
- To flag and delete all records, select both options.
3. In this example, the first option is selected. Click Start to detect and flag stale records.
4. To view stale records flagged by NIOS, go to the particular zone the scavenging process was run on. In this example it is contoso.com zone. Inside the zone two records flagged as Reclaimable, and the Reclaimable column shows a value of Yes for these records.
Manually Deleting Reclaimable Records
To delete reclaimable records, first find marked records. Using a NIOS quick filter is a way to easily accomplish this. In this example, find all reclaimable records in the contoso.com zone and delete them all in one action.
1. Click show filter to bring up filter options.
- From the choose filter drop-down menu, select Reclaimable.
- From the choose operator drop-down menu, select equals, and select Yes as shown in the figure below.
2. Click Apply to see all reclaimable records.
NOTE: Static records can be scavenged only by deleting them manually.
3. Select all records by checking the topmost checkbox.
4. Click Delete in the Toolbar to delete all selected records at once.
Reset Reclaimable Flag
Infoblox NIOS provides the ability to clear the reclaimable flag on stale records. This is extremely useful if an administrator wants to perform a new scavenging analysis starting with a clean slate. The reclaimable flag can be cleared at a Grid, view, or zone level.
1. To clear reclaimable flags on records in a zone, click on the gear icon next to a zone. In this example it is contoso.com under Data Management > DNS > Zones and click Scavenge Records
2. Select the Reset reclaimable flag option and click Start.
Disabling Scavenging on Individual Resource Records
Infoblox NIOS provides protection for individual resource records to exclude them from being scavenged. The option is to disable scavenging for these records. Disabling scavenging for a record only prevents the record from being deleted, but the record can still be marked as reclaimable for the purpose of analysis.
In this example, scavenging is disabled for the A record web.contoso.com by editing its properties in the DNS Scavenging tab.
Using Multiple Matching Rules in a Scavenging Policy
This section describes some use cases to delete stale DNS records, which helps users create a scavenging policy using multiple matching rules. Scavenging specifics are determined by users based on their specific networking environment.
Static Records Not Queried in a Year
An administrator needs to clean up a DNS database by removing all those static records that have not been queried for more than a year. You can set matching rules for this in NIOS, as shown below.
Dynamic Records Created More Than a Month Ago
An administrator needs to clean up a DNS database by removing all those dynamic records that were created more than 30 days ago. You can set matching rules for this in NIOS, as shown below.
Simulate Microsoft DNS Scavenging Behavior
This use case provides the same scavenging behavior as is available on Microsoft DNS servers. You can set up matching rules to accomplish Microsoft DNS scavenging behavior, as shown below.
Recycle Bin
Deleted stale DNS resource records end up in the Recycle bin. Users can view all deleted records in the Recycle Bin with their type, zone, and data and see whether the deletion was through a recurring scavenging process or deleted manually by a user. Users can either completely empty the stale entries or recover deleted records if required.
1. Click Show All under Recycle Bin to display the Recycle Bin window.
This is the result from clicking the Show All in Recycle Bin.
A new powerful feature introduced in NIOS 7.3 is the use of quick filters in the Recycle Bin. Different criteria can be used to search for deleted entries in Recycle Bin and records recovered if needed. For example, if a user wants to recover A records deleted by a user named admin, a user can build a quick filter as follows.
1. Click show filter and
- From the Choose Filter drop-down menu, select Type.
- From the Choose Operator drop-down menu, select equals.
- In the value field, select A record.
2. Click the plus (+) sign to add a second filter and
- In the Choose Filter drop-down menu, select Admin.
- In the Choose Operator drop-down menu, select equals.
- In value field, type admin.
3. Click Apply.
Dashboard Widget
A new dashboard widget in NIOS 7.3 named DNS Record Scavenging shows the status and results of the scavenging process. It displays information about current and previous scavenging tasks, which includes the time the task ran and finished, number of records scavenged, and level of hierarchy the task ran at, i.e. Grid, view or zone. The refresh interval can be set as desired in seconds.
Smart Folders
With DNS Scavenging, a new smart folder is introduced called Reclaimable. It is the one place where an IT
administrator can take a peek at all reclaimable addresses in all applicable zones hosted by the Grid.
1. Go to Smart Folders > My Smart Folders > Create.
2. Give the Smart Folder a name, for example Reclaimable Records.
3. When you select Reclaimable from Choose Filter drop-down menu, the operator will be selected automatically as equals.
4. Select Yes and click Apply.
5. Click Save.
Sun Management
Sun Management is a Value Added Reseller (VAR) focusing on Network and Internetwork Security Requirements. We work primarily in the Mid Atlantic area: Maryland (MD), Virginia (VA), District of Columbia (DC), West Virginia (WV), Delaware (DE) and Pennsylvania (PA). Our credentials include Palo Alto Networks Services Provider, Palo Alto Networks Certified Training Partner, and Palo Alto Networks Certified Managed Security Service Provider (MSSP) using CORTEX XSOAR in a multi-tenant environment.
We address requirements concerning Network Detection and Response (NDR); internal and external TLS and SSL requirements for complete data visibility; End Point Detection and Response (EDR); Gramm Leach Bliley Act, HIPPA, Sarbanes Oaxley and PCI DSS; penetration testing and firewall optimization; and Data Protection by tracking all Data Flows within the network, across applications, between users/servers and in the cloud. Contact us at (888) 773-9422 to setup a POC or if you just want more information.
Download PDF